Legal Nigeria

ARE SMEs EXEMPTED FROM DATA COMPLIANCE UNDER THE NDPR? By Timothy Opurum, Esq.

The Nigerian Data Protection Regulation (NDPR), since its commencement in January 2019, has defined the ways and manner in which data is collected and processed in Nigeria. The Regulation, being the principal legal apparatus that regulates data processing in the country, has provided beautiful legal regimes (this is not to say that it does not admit of possible loopholes) regulating the affairs of data collectors.


The National Information Technology Development Agency (NITDA), being the agency saddled with the duty of ensuring adequate compliance with the provisions of the Regulation, has been up and doing since the commencement of the Regulation. In pursuit of its obligation, NITDA issued a directive mandating all data controllers (organizations that collect data) in Nigeria to file their Annual Data Audit Report. This directive was, however, sent specifically to big companies with a high volume of data collection, such as telecoms companies, banks and other finance houses, with no direct reference or demand to SMEs. By the provision of the Regulation, companies were mandated to carry out a detailed audit of their privacy and data protection practices within 6 months of the commencement of the Regulation (Section 3.1.5 of the NDPR 2019).


Interestingly, many organizations defaulted in meeting the deadline, of course, owing to obvious technical reasons. As a result, the Agency gave an extension till October 2019. Yet many organizations were still unable to meet the extended deadline. Appeals were consequently made to NITDA for a further extension before the outbreak of the COVID-19 pandemic, which necessitated another eventual extension.


In all of this, one question that is left unanswered is whether SMEs are exempted from complying with the NDPR, given that the Agency seems to be interested only in big companies for data compliance. This we shall now examine below.

It is no news that data protection laws vary from country to country. In some countries, Australia and Canada for instance, data protection laws exclude small businesses from data protection compliance. Similarly, in other climes like Japan, businesses with data sets of fewer than 5000 entries are equally exempted. There are also other variants of exemption available for some classes of data collection in some other countries, based on, e.g., the type of data subject, the sensitivity of the data, or the source of the data.


So, what about Nigeria? Does the NDPR exempt small businesses (SMEs) from compliance?
In understanding this, it is expedient to consider who a data controller is.
The Regulation defines a Data Controller as –
“A person who either alone, jointly with other persons or in common with other persons or as a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed”.
The Regulation also defines a Data Administrator as –
“A person or organization that processes data.”


From the foregoing definitions, it is evident that SMEs or businesses whose business objects require them to process data (no matter the quantum of data they process) are equally regarded as data controllers. Furthermore, no part or section of the Regulation makes provision exempting small businesses from filing their data audit reports as and when due, or from complying with other provisions of the Regulation.
So why is the Agency concentrating only on big companies? Why are they not disturbing small businesses?
We must understand that data regulation in Nigeria is quite novel. Many organizations, including the Agency itself, are still trying to gain an appreciable understanding of the regime, hence the need to first deal formidably with the big companies, thereby setting a pathway for the small businesses. This, however, does not mean that these small businesses are exempted or suspended in any way from complying with the Regulation, including having a DPO, carrying out their data audit, filing their report as and when due, and ensuring compliance with the other provisions of the Regulation.
Finally, it is advisable for small business owners involved in data processing to get a Data Protection Officer (DPO) who will assist in data protection compliance. The need for this cannot be overemphasized. Apart from suffering possible sanctions from the Agency for noncompliance, your business (or you) may stand the risk of a possible lawsuit for data breach, and this, as you may know, may cause irredeemable damage to your business.

Timothy Opurum is a transactional lawyer with in-depth experience in debt recovery, data protection, litigation, intellectual property and company secretarial services.